As technology continues to evolve, the benefits increase — and so do the risks.

Virtualization, mobile technology and cloud computing have created new points of entry into businesses, leaving them vulnerable to covert cyber attacks. Executives at many organizations say it’s a struggle to contain the threats, and nearly impossible to thwart them.

Gap between where security is and where it needs to be

We interviewed more than 1,800 information security executives for the 2012 Global Information Security Survey, and 77% of them indicated an increase in external threats. Despite the enhancements companies have made, there is a gap between where security is and where it needs to be. Boards of directors are starting to take note, particularly members of the audit committee, who list cybersecurity among their top concerns.

High-profile cases, such as the alleged Iranian attack against US banks and a resurgence of attacks on US companies by Chinese hackers, have shifted the IT conversation to cybersecurity.

Cybersecurity is not just a technology issue; it’s a business risk that requires an enterprise-wide response. Yet only 38% of the executives who responded to the recent survey said they align their information security strategy to the organization’s risk appetite and risk tolerance.

Potential consequences

Like the technology itself, the financial consequences of a cyber attack are often not well understood. Theft of funds and intellectual property is not the only risk. Lost profits and lost business carry their own costs, as do the expenses of remediation.

A breach eventually could affect financial performance, ultimately reducing earnings per share and the company’s overall market value.

What we found

Most audit committee members are financially savvy, but they may lack a deep knowledge of technological issues. They may rely heavily on technology officers within the company to provide them with perspectives on IT risk management, but only 54% discuss information security in the boardroom quarterly or more frequently.

Companies want to increase operational flexibility, and 59% of those who responded to our survey said they have moved to the cloud or plan to do so. However, 38% of those moving to the cloud indicated that they haven’t done anything to mitigate the potential risks inherent in the cloud, such as legal, regulatory and compliance risks around data privacy.

Organizations must go beyond protecting the perimeter, focusing on protecting the data itself. It will take money and resources to train employees to keep information safe. However, only 22% of respondents said they plan to spend more on cybersecurity in the next 12 months.

What role should the audit committee play?

The company’s board should set the tone for enhancing security and determine whether the full board or a committee should have oversight responsibility. In some cases, a risk committee, executive/operating committee or the audit committee will be given the oversight charge.

Some audit committees may need better information about the company’s processes, and they should leverage that information to understand what oversight is necessary. They should understand whether management has the right people and processes in place.

The audit committee’s action plan will depend on the company’s level of maturity in managing security risks. The plan may require more attention and time in sectors where these risks and the potential for damages are highest, such as financial services institutions.

Depending on the circumstances, some boards of directors may want to consider bringing someone with a deep understanding of IT issues onto the board or audit committee.

Audit committees should inquire about the state of specific security programs and then ask for benchmarks. They should also ask for an explanation of the measures that are in place to prevent or detect attacks.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.